Deno 2.7 sharpens Node.js compatibility and stabilizes Temporal

Version 2.7 of the runtime for JavaScript and TypeScript stabilizes the Temporal API, introduces npm overrides, and ...
Cybernews

Malicious NPM package racks up 50,000 infections in days, developers fully compromised

A malicious NPM package, ambar-src, mimicking a popular JavaScript framework, was downloaded nearly 50,000 times in a few ...
The Hacker News

Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware

Four rogue NuGet packages and one npm package stole ASP.NET Identity data, deployed C2 backdoors, and reached over 50,000 downloads before removal.
Arabian Post

Microsoft flags malicious Next.js developer traps

Security researchers at Microsoft said the campaign targets developers who routinely clone public repositories for evaluation, collaboration or recruitment exercises. The attackers publish projects ...
InfoWorld

New npm worm hits CI pipelines and AI coding tools

Researchers warn malicious packages can harvest secrets, weaponize CI systems, and spread across projects while carrying a dormant wipe mechanism.
The Hacker News

Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens

The module targets Claude Code, Claude Desktop, Cursor, Microsoft Visual Studio Code (VS Code) Continue, and Windsurf. It also harvests API keys for nine large language models (LLM) providers: ...

North Korean Graphalgo Campaign Uses Fake Job Tests to Spread Malware Scam

A North Korean attack group is running a scam operation called the Graphalgo, wherein they use fake job schemes to deliver malware.
InfoWorld

Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud

A researcher at Koi Security says the two key platforms have not plugged the vulnerabilities enabling the worm attacks, and ‘the JavaScript ecosystem deserves better.’ Javascript developers should ...
CSOonline

Malicious npm packages target the n8n automation platform in a supply chain attack

Threat actors were spotted weaponizing the n8n automation ecosystem this week, slipping malicious npm packages into its marketplace of community-maintained nodes. The deceptive packages, disguised as ...
bitnewsbot

North Korean Hackers Flood npm with 197 Malicious Packages

North Korean threat actors behind the Contagious Interview campaign have deployed 197 new malicious packages on the npm registry since last month. These packages have been downloaded over 31,000 times ...
TechRepublic

Zapier NPM Hack Unleashes Self-Spreading Worm Attack

Threat actors have successfully weaponized Zapier’s compromised NPM account to unleash a digital weapon that’s creating chaos across the entire open-source ecosystem. This isn’t your typical data ...
SecurityWeek

640 NPM Packages Infected in New ‘Shai-Hulud’ Supply Chain Attack

The new self-replicating worm iteration has destructive capabilities, erasing home directory contents if it cannot spread to more repositories. Approximately 640 NPM packages have been infected with a ...